RequestHeader set X-Forwarded-Scheme https early
RequestHeader set X-Scheme https early
RequestHeader set X-Forwarded-Proto https early
ProxyPreserveHost On

RewriteEngine on
RewriteRule ^/signatures/(.*) /srv/web/registry-signatures/$1 [L]

{% if env == "production" %}
RewriteCond %{HTTP:VIA} !cdn77
RewriteCond %{REQUEST_METHOD} !^(PATCH|POST|PUT|DELETE|HEAD)$
RewriteRule ^/v2/(.*)/blobs/([a-zA-Z0-9:]*) https://cdn.registry.fedoraproject.org/v2/$1/blobs/$2 [R]
{% endif %}

# This is terible, but Docker.
RewriteCond %{REQUEST_METHOD} ^(PATCH|POST|PUT|DELETE)$
RewriteRule ^/v2/(.*)$ http://docker-registry02:5000/v2/$1 [P,L]
RewriteRule ^/v2/(.*)$ http://localhost:6081/v2/$1 [P,L]

DocumentRoot /srv/web/registry-index/

<Directory /srv/web/registry-index>
    Require all granted
</Directory>

SSLVerifyClient optional
SSLVerifyDepth 1
SSLCACertificateFile /etc/pki/httpd/registry-ca-{{env}}.cert
SSLOptions +FakeBasicAuth

<Directory /srv/web/registry-signatures>
    Require all granted
</Directory>


<Location /v2>
  Order deny,allow
  Allow from all
  AuthName "Registry Authentication"
  AuthType Basic
  AuthUserFile /etc/httpd/conf.d/registry.fedoraproject.org/passwd

  # Anyone can read
  <Limit GET HEAD>
    Require all granted
  </Limit>

  # Write access to docker-deployer only
  <Limit POST PUT DELETE>
    Require valid-user
  </Limit>

</Location>
